An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards

In multi-server environments, user authentication is a very important issue because it provides the authorization that enables users to access their data and services; furthermore, remote user authentication schemes for multi-server environments have solved the problem that has arisen from user’s management of different identities and passwords. For this reason, numerous user authentication schemes that are designed for multi-server environments have been proposed over recent years. In 2015, Lu et al. improved upon Mishra et al.’s scheme, claiming that their remote user authentication scheme is more secure and practical; however, we found that Lu et al.’s scheme is still insecure and incorrect. In this paper, we demonstrate that Lu et al.’s scheme is vulnerable to outsider attack and user impersonation attack, and we propose a new biometrics-based scheme for authentication and key agreement that can be used in multi-server environments; then, we show that our proposed scheme is more secure and supports the required security properties.


Introduction
Since Lamport [1] proposed the first password-based authentication scheme for insecure communications in 1981, password-based authentication schemes [2][3][4][5][6] have been extensively investigated. The remote user authentication scheme is one of the most convenient authentication schemes for dealing with the transmission of secret data over insecure communication channels, and during the last two decades, many researchers have proposed different remote user authentication schemes.
A problem that occurs with respect to password-based authentication schemes, however, is that a server must maintain a password table for the verification of the legitimacy of a login user; therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby the biological characteristics of persons such as a fingerprint or an iris are used. The main advantageous property of biometrics is uniqueness, leading to the proposal of numerous remote user authentication schemes [7][8][9][10][11][12][13] that use biological characteristics. In 2008, Tsai [14] proposed an efficient multi-server authentication scheme using a random number and the one-way hash function; after that, a considerable succession of authenticated key agreement schemes was presented for multi-server environments [15][16][17]. In 2012, Li et al. [18] proposed a novel authenticated key exchange scheme for multi-server environments; unfortunately, however, Xue et al. [19] found that Li et al.'s scheme did not resist some types of known attacks such as replay, denial of service, forgery, and off-line password guessing. Xue et al. therefore proposed an improved scheme to remedy the weaknesses of Li et al.'s scheme; nevertheless, Lu et al. [20] showed that Xue et al.'s scheme is not only insecure against impersonation and insider attacks, but that it is also vulnerable to off-line password guessing attack. To overcome the vulnerability of Xue et al.'s scheme, Lu et al. then proposed a slightly modified authentication scheme for multi-server environments. Recently, Chuang et al. [21] presented an efficient, biometrics-based, smart card authentication scheme for a multi-server environment that was considered to provide more security properties than earlier schemes; however, Mishra et al. [22] found that Chuang et al.'s scheme is vulnerable to stolen smart card, server spoofing, and impersonation attacks. Mishra et al. also proposed an improved biometrics-based, multi-server authenticated key agreement scheme for which smart cards are used, and they claimed that their scheme satisfied all of the desirable security requirements; unfortunately, Lu et al. [23] showed that Mishra et al.'s scheme does not satisfy key security attributes: it is vulnerable to a replay attack and its password change phase is incorrect. Lu et al. then proposed a biometrics-based smart card scheme for authentication and key agreement that can be used in multi-server environments, claiming that their scheme is secure against a variety of known attacks; however, we found that Lu et al.'s scheme is still insecure and is incorrect regarding the login and authentication phase.
In this paper, we concentrate on the security weaknesses of Lu et al.'s biometrics-based authentication scheme. After a careful analysis, we found that their scheme does not effectively resist outsider and impersonation attacks; to resolve these security vulnerabilities, we propose a new biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment. In addition, we demonstrate that the proposed scheme provides a strong authentication defense against a number of attacks including the attacks of the original scheme. Lastly, we compare the performance and functionality of the proposed scheme with other related schemes.
The rest of the paper is organized as follows: in Section 2 and Section 3, we review and analyze, respectively, Lu et al.'s scheme; in Section 4, we propose an improved authentication scheme for multi-server environments; in Section 5, we present a security analysis of our scheme; Section 6 compares the security and performance of our scheme with previous schemes; and our conclusion is presented in Section 7.

Review of Lu et al.'s scheme
In this section, we review Lu et al.'s biometrics-based scheme for authentication and key agreement for multi-server environments. Three participants are involved: the user $U_i$, the server $S_j$, and the registration center RC. The RC chooses a secret key $PSK$ and a secret number $x$ and shares them with $S_j$ over a secure channel. The scheme consists of three phases: registration, login and authentication, and password updating. For convenience, some of the notations that are used in Lu et al.'s scheme are described in Table 1.

Registration
2. After receiving the message from $U_i$, the RC computes

Login and authentication
1. $U_i$ inserts his/her smart card into the device and enters his/her identity $ID_i$, password $PW_i$ and biometrics $BIO_i$; then, the smart card validates whether $V_i' = h(ID_i \| h(PW_i \| H(BIO_i)))$ is equal to the stored $V_i$. If it holds, the smart card generates a random number $n_1$ and computes $K = h((Y_i \oplus y) \| SID_j)$, $M_1 = K \oplus ID_i$, $M_2 = n_1 \oplus K$, $M_3 = h(PW_i \| H(BIO_i)) \oplus K$, and $Z_i = h(X_i \| n_1 \| h(PW_i \| H(BIO_i)) \| T_1)$. Lastly, $U_i$ sends $\{Z_i, M_1, M_2, M_3, T_1\}$ to $S_j$ over a public channel, where $T_1$ is the current timestamp.
2. After receiving the message from $U_i$, $S_j$ first checks whether $T_c - T_1 \le \Delta T$ and then computes $K = h(SID_j \| h(PSK))$ by using the secure pre-shared key $PSK$; then $S_j$ retrieves $ID_i$, $n_1$ and $h(PW_i \| H(BIO_i))$ from $M_1$, $M_2$ and $M_3$ and verifies whether $h(X_i \| n_1 \| h(PW_i \| H(BIO_i)) \| T_1) \stackrel{?}{=} Z_i$. If it holds, $S_j$ generates a random number $n_2$ and computes $SK_{ji} = h(n_1 \| n_2 \| K \| X_i)$, $M_4 = n_2 \oplus h(n_1 \| h(PW_i \| H(BIO_i)) \| X_i)$, and $M_5 = h(ID_i \| n_1 \| n_2 \| K \| T_2)$. Then, $S_j$ sends back the authentication message $\{M_4, M_5, T_2\}$ to $U_i$, where $T_2$ is the current timestamp.
3. Upon checking the freshness of $T_2$, $U_i$ first computes $n_2 = M_4 \oplus h(n_1 \| h(PW_i \| H(BIO_i)) \| X_i)$ and then verifies whether $h(ID_i \| n_1 \| n_2 \| K \| T_2)$ is equal to the received $M_5$; if they are equal, $U_i$ computes the common session key $SK_{ij} = h(n_1 \| n_2 \| K \| X_i)$ and sends $\{M_6, T_3\}$ to $S_j$, where $T_3$ is the current timestamp.
4. $S_j$ verifies the freshness of $T_3$ and the correctness of $M_6$ by using $SK_{ji}$; if they do not hold, $S_j$ stops the execution; otherwise, $S_j$ confirms the common session key $SK_{ji}$ with $U_i$.

Password updating
$U_i$ first inserts his/her smart card into the device and provides his/her identity $ID_i$, password $PW_i$ and biometrics $BIO_i$. The smart card then validates whether $V_i' = h(ID_i \| h(PW_i \| H(BIO_i)))$ is equal to the stored $V_i$; if they are equal, $U_i$ keys in the new password $PW_{i(new)}$, but

Security analysis of Lu et al.'s scheme
According to [24,25], in the basic adversary model, a probabilistic polynomial-time (PPT) adversary $A$ has full control over all communication messages: $A$ can read, modify or delete every message transmitted between a user and the server. Furthermore, power analysis attacks [26] can extract all of the information stored in a smart card through a side-channel attack. Lu et al. claimed that their scheme resists a session key attack; however, we demonstrate that their scheme is still insecure against a session key attack. We also found that their scheme does not protect against outsider and user impersonation attacks and cannot support user anonymity; furthermore, a number of the phases of Lu et al.'s scheme are not correct. We point out the details of these problems in the following subsections.

Incorrect login phase
During the login phase, the user $U_i$ inserts his/her smart card into the card reader, inputs his/her identity $ID_i$ and password $PW_i$, and then imprints his/her biometrics $BIO_i$ at the sensor. The smart card then validates whether ..., but this is actually impossible because the secret key $y$ does not exist in the smart card. Lu et al. claimed that even if an adversary ... $M_3, T_1\}$ without the secret key $y$; therefore, we assumed that the secret key $y$ is entered by user $U_i$ during the login process.

Incorrect authentication phase
During the authentication phase, the server $S_j$ computes $K = h(SID_j \| h(PSK))$ by using the secure pre-shared key $PSK$; however, the value $K = h(SID_j \| h(PSK))$ cannot be equal to $K = h((Y_i \oplus y) \| SID_j) = h(h(PSK) \| SID_j)$ as computed by $U_i$. We therefore assumed that server $S_j$ computes $K = h(h(PSK) \| SID_j)$.

Outsider Attack
During the registration phase, the RC stores $\{X_i, V_i, h(PSK)\}$ onto a smart card and submits it to $U_i$. After receiving the smart card, $U_i$ computes $Y_i = h(PSK) \oplus y$ and replaces $h(PSK)$ with $Y_i$. Let $A$, who is in possession of the information $\{X_A, V_A, h(PSK)\}$ extracted from his/her own smart card, be an active adversary who is also a legal user; then, $A$ can easily compute $K = h(h(PSK) \| SID_j)$, which is the same for every legal user of the server $S_j$. Furthermore, if $A$ intercepts his/her own login request message $\{Z_A, \ldots$

Violation of the Session Key Security
Suppose an outsider adversary $A$ intercepts the communication between $U_i$ and $S_j$ and steals the smart card of $U_i$; then, he/she can obtain all of the messages $\{Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3\}$ and extract the information $\{X_i, Y_i, V_i, h(\cdot)\}$, thereby easily obtaining the session key that is established between $U_i$ and $S_j$. The details are described as follows.

User Impersonation Attack
In this subsection, we show that $A$ can also impersonate a legal user to cheat $S_j$ once he/she knows the value of $K$. The details are described as follows.

1. $A$ generates a random number $n_1'$ and computes ...
2. After receiving the login request message from $A$, who pretends to be $U_i$, the message successfully passes $S_j$'s verification and $S_j$ performs the subsequent steps of the scheme normally. Lastly, $S_j$ sends the authentication message $\{M_4, M_5, T_2'\}$ to $A$, where $n_2'$ and $T_2'$ are the random number and the current timestamp on the server side, respectively.
3. Upon receiving the login response message from $S_j$, $A$ computes ...
4. Upon receiving the message from $A$, $S_j$ continues to proceed with the scheme without detection. Lastly, $A$ and $S_j$ "successfully" agree on the session key $SK_{ij}$, but unfortunately $S_j$ mistakenly believes that it is communicating with the legitimate, genuine $U_i$.

User is not anonymous
Lu et al. claimed that $U_i$'s identity $ID_i$ is well protected by the shared parameter $K$ that is used as a substitute for the actual parameters. Additionally, an unauthorized server cannot obtain $ID_i$ without knowing $K$, since $K$ is protected by the secret key $PSK$ that is only known by the authorized server and is not exposed on the open channel. We found, however, that if the outsider adversary $A$ can obtain $h(PSK)$, then he/she can compute $K = h(h(PSK) \| SID_j)$; furthermore, $A$ can also compute $K = M_3 \oplus h(PW_A \| H(BIO_A))$ without $h(PSK)$, meaning that $A$ can compute $ID_i = M_1 \oplus K$. We therefore conclude that Lu et al.'s scheme cannot provide user anonymity.

Our proposed scheme
In this section, we propose a new biometrics-based password authentication scheme for multi-server environments. In our scheme, there are also three participants: the user $U_i$, the server $S_j$, and the registration center RC. The RC chooses a secret key $PSK$ and a secret number $x$, and then shares them with $S_j$ over a secure channel. Our proposed scheme consists of the following four phases, as shown in Fig 1: registration, login, authentication, and password changing. For convenience, some of the notations that are used in our proposed scheme are described in Table 2.

Registration phase
1. $U_i$ inputs his/her biometrics $BIO_i$ and selects an identity $ID_i$ and a password $PW_i$. Then, $U_i$ computes $PWD_i = h(PW_i \| H(BIO_i))$ and sends $\{ID_i, PWD_i\}$ to the RC.
3. The RC sends the smart card $SC_i$ to $U_i$ over a secure channel, and the registration phase is therefore complete.

Login phase
1. $U_i$ inserts his/her smart card into the card reader, enters the identity $ID_i$ and password $PW_i$, and imprints the biometrics $BIO_i$; then, the smart card $SC_i$ computes $PWD_i = h(PW_i \| H(BIO_i))$ and validates whether $V_i' = h(ID_i \| PWD_i)$ is equal to the stored $V_i$. If it holds, the smart card generates a random number $n_1$ and computes $K = h((W_i \oplus ID_i) \| SID_j)$, $M_1 = K \oplus ID_i$, $M_2 = n_1 \oplus K$, $M_3 = PWD_i \oplus K$, and $Z_i = h(X_i \| n_1 \| PWD_i \| T_1)$.
2. $U_i$ then sends $\{Y_i, Z_i, M_1, M_2, M_3, T_1\}$ to $S_j$ over a public channel, where $T_1$ is the current timestamp.

Authentication phase
1. After receiving the login request message from $U_i$, $S_j$ first checks whether $T_c - T_1 \le \Delta T$ and then computes $y_i = Y_i \oplus h(PSK)$ by using the secure pre-shared key $PSK$; then, ... Next, $S_j$ computes $X_i = h(ID_i \| x)$ and verifies whether $h(X_i \| n_1 \| PWD_i \| T_1) \stackrel{?}{=} Z_i$. If it holds, $S_j$ generates a random number $n_2$ and computes $SK_{ji} = h(n_1 \| n_2 \| K \| X_i)$, $M_4 = n_2 \oplus h(n_1 \| PWD_i \| X_i)$, and $M_5 = h(ID_i \| n_1 \| n_2 \| K \| T_2)$. Then, $S_j$ sends the login response message $\{M_4, M_5, T_2\}$ to $U_i$, where $T_2$ is the current timestamp.
2. Upon checking the freshness of $T_2$, $U_i$ first computes $n_2 = M_4 \oplus h(n_1 \| PWD_i \| X_i)$ and then verifies whether $h(ID_i \| n_1 \| n_2 \| K \| T_2)$ is equal to the received $M_5$. If they are equal, $U_i$ computes the common session key $SK_{ij} = h(n_1 \| n_2 \| K \| X_i)$ and sends $\{M_6 = h(SK_{ij} \| ID_i \| n_2 \| T_3), T_3\}$ to $S_j$, where $T_3$ is the current timestamp.
3. $S_j$ verifies the freshness of $T_3$ and the correctness of $M_6$ by using $SK_{ji}$; if they hold, $S_j$ confirms the common session key $SK_{ji}$ with $U_i$; otherwise, $S_j$ terminates this session.
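The login and authentication phases above, simulated end to end with both sides' checks, as an added Python example that is not the paper's code: $h$ is modelled as SHA-256, the biohash $H(BIO_i)$ is a deterministic stand-in, identities are zero-padded to hash width so that every XOR operand is 32 bytes, the smart-card contents and the server's computation of $K$ are reconstructed from the formulas used in the analysis sections (registration step 2 is not reproduced on this page), and the freshness window $\Delta T$, all names and all sample values are assumptions.

```python
import hashlib
import os
HASH_LEN = 32  # h(.) is modelled as SHA-256, so every XOR operand is 32 bytes (assumption)
DELTA_T = 5    # freshness window for the timestamp checks, in seconds (assumption)

def h(*parts: bytes) -> bytes:  # h(a || b || ...) modelled as SHA-256 over the concatenation
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HASH_LEN, "XOR operands must be fixed width"
    return bytes(p ^ q for p, q in zip(a, b))

def ts(t: int) -> bytes:  # timestamp as 8 big-endian bytes so it can be hashed and compared
    return t.to_bytes(8, "big")

def fresh(t_received: bytes, t_now: int) -> bool:  # the T_c - T <= DELTA_T check
    return t_now - int.from_bytes(t_received, "big") <= DELTA_T

def register(ID_i, PW_i, HBIO_i, PSK, x, y_i):  # card contents, reconstructed (assumption)
    PWD_i = h(PW_i, HBIO_i)
    return {"V": h(ID_i, PWD_i), "W": xor(h(y_i, PSK), ID_i),
            "X": h(ID_i, x), "Y": xor(y_i, h(PSK))}

def user_login(card, ID_i, PW_i, HBIO_i, SID_j, n_1, T_1):
    """Login phase: local check on the card, then the request {Y_i, Z_i, M_1, M_2, M_3, T_1}."""
    PWD_i = h(PW_i, HBIO_i)
    if h(ID_i, PWD_i) != card["V"]:
        raise ValueError("smart card rejected the identity/password/biometrics")
    K = h(xor(card["W"], ID_i), SID_j)
    msg = {"Y": card["Y"], "Z": h(card["X"], n_1, PWD_i, ts(T_1)), "M1": xor(K, ID_i),
           "M2": xor(n_1, K), "M3": xor(PWD_i, K), "T1": ts(T_1)}
    return msg, {"K": K, "n1": n_1, "PWD": PWD_i, "X": card["X"], "ID": ID_i}

def server_auth(msg, PSK, x, SID_j, n_2, now, T_2):
    """Authentication step 1 on S_j: verify Z_i, derive SK_ji, answer with {M_4, M_5, T_2}."""
    if not fresh(msg["T1"], now):
        raise ValueError("stale T1: replayed or delayed login request")
    y_i = xor(msg["Y"], h(PSK))
    K = h(h(y_i, PSK), SID_j)  # assumed form of the elided step; it matches the card's K
    ID_i, n_1, PWD_i = xor(msg["M1"], K), xor(msg["M2"], K), xor(msg["M3"], K)
    X_i = h(ID_i, x)
    if h(X_i, n_1, PWD_i, msg["T1"]) != msg["Z"]:
        raise ValueError("Z_i verification failed")
    SK_ji = h(n_1, n_2, K, X_i)
    resp = {"M4": xor(n_2, h(n_1, PWD_i, X_i)),
            "M5": h(ID_i, n_1, n_2, K, ts(T_2)), "T2": ts(T_2)}
    return resp, {"SK": SK_ji, "ID": ID_i, "n2": n_2}

def user_confirm(resp, st, now, T_3):
    """Authentication step 2 on U_i: recover n_2, check M_5, derive SK_ij, send {M_6, T_3}."""
    if not fresh(resp["T2"], now):
        raise ValueError("stale T2")
    n_2 = xor(resp["M4"], h(st["n1"], st["PWD"], st["X"]))
    if h(st["ID"], st["n1"], n_2, st["K"], resp["T2"]) != resp["M5"]:
        raise ValueError("M5 verification failed: server not authenticated")
    SK_ij = h(st["n1"], n_2, st["K"], st["X"])
    return {"M6": h(SK_ij, st["ID"], n_2, ts(T_3)), "T3": ts(T_3)}, SK_ij

def server_confirm(msg6, sst, now):  # authentication step 3 on S_j: confirm SK_ji via M_6
    if not fresh(msg6["T3"], now) or msg6["M6"] != h(sst["SK"], sst["ID"], sst["n2"], msg6["T3"]):
        raise ValueError("M6 verification failed: session terminated")
    return sst["SK"]

def run_session(T_1: int, now: int):
    """One full run with constructed sample values; returns (SK_ij, SK_ji)."""
    PSK, x, SID_j = os.urandom(32), os.urandom(32), b"server-01"
    ID_i, PW_i = b"alice".ljust(HASH_LEN, b"\0"), b"correct horse battery"
    HBIO_i = h(b"constructed fingerprint template")  # stand-in for the biohash H(BIO_i)
    card = register(ID_i, PW_i, HBIO_i, PSK, x, os.urandom(32))
    msg, ust = user_login(card, ID_i, PW_i, HBIO_i, SID_j, os.urandom(32), T_1)
    resp, sst = server_auth(msg, PSK, x, SID_j, os.urandom(32), now, now)
    msg6, SK_ij = user_confirm(resp, ust, now, now)
    return SK_ij, server_confirm(msg6, sst, now)

def login_rejected(T_1: int, now: int) -> bool:  # True when a check aborts the run
    try:
        run_session(T_1, now)
        return False
    except ValueError:
        return True
```

Calling `run_session(T_1, now)` with a stale `T_1` shows the freshness check refusing a delayed or replayed login request before any key is derived.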

Password updating
The password change is done locally without the involvement of the RC. If $U_i$ wants to change his/her password, he/she first inserts his/her smart card into a card reader and provides his/her identity $ID_i$, password $PW_i$ and biometrics $BIO_i$. The smart card $SC_i$ then computes $PWD_i = h(PW_i \| H(BIO_i))$ and validates whether $V_i' = h(ID_i \| PWD_i)$ is equal to the stored $V_i$. If they are equal, $SC_i$ allows $U_i$ to enter a new password $PW_{i(new)}$; otherwise, the smart card rejects the password change request. Lastly, $SC_i$ computes $PWD_{i(new)} = h(PW_{i(new)} \| H(BIO_i))$ and $V_{i(new)} = h(ID_i \| PWD_{i(new)})$, and replaces $V_i$ with $V_{i(new)}$.

Security analysis of our proposed scheme
In this section, we demonstrate that our scheme, which retains the merits of Lu et al.'s scheme, can withstand several types of possible attacks, and we also show that our scheme supports several security properties. The security analysis of our proposed scheme was conducted under the following four assumptions:
1. An adversary $A$ can be either a user or a server. A registered user as well as a registered server can act as an adversary.
2. An adversary $A$ can eavesdrop on every communication across public channels. He/she can capture any message that is exchanged between a user and a server.
3. An adversary $A$ has the ability to alter, delete, or reroute a captured message.
4. Information can be extracted from a smart card by examining the power consumption of the card.

Verifying the authentication scheme with BAN logic
Burrows-Abadi-Needham (BAN) logic [27] is a set of rules for the definition and analysis of information exchange protocols. Concretely, BAN logic helps its users to decide whether exchanged information is trustworthy, whether it is secured against eavesdropping, or both. In this subsection, we use BAN logic to prove that a shared session key between a user and a server can be correctly generated during the authentication process. Some of the notations and logical postulates [28] that are used in the BAN logic are described in Table 3.

Table 3. Notations used in BAN logic.
$P \mid\equiv X$: The principal $P$ believes the statement $X$.
$\#(X)$: The formula $X$ is fresh.
$P \mid\Rightarrow X$: The principal $P$ has jurisdiction over the statement $X$.
$P \xleftrightarrow{K} Q$: The principals $P$ and $Q$ may use the shared key $K$.
$P \triangleleft X$: The principal $P$ sees the statement $X$.
$P \mid\sim X$: The principal $P$ once said the statement $X$.
$\{X\}_K$: The formula $X$ encrypted under the key $K$.
$(X)_K$: The formula $X$ hashed under the key $K$.
$\langle X \rangle_Y$: The formula $X$ combined with the key $Y$.
$P \overset{X}{\rightleftharpoons} Q$: The formula $X$ is a secret known only to $P$ and $Q$.
Jurisdiction rule: If principal $P$ believes that $Q$ has jurisdiction over $X$ and $P$ believes that $Q$ believes $X$, then $P$ believes $X$.

Establishment of security goals
Initiative premises
$p_1$. $U_i \mid\equiv \#n_1$
$p_2$. $U_i \mid\equiv S_j \mid\Rightarrow \#n_2$
$p_3$. $S_j \mid\equiv \#n_1$
$p_4$. $S_j \mid\equiv \#n_2$

Our proposed scheme analysis
$a_1$. By $p_5$, $S_j \triangleleft \langle y_i \rangle_{h(PSK)}$ and $S_j \triangleleft \langle n_1, ID_i, PWD_i \rangle_K$, we apply the message-meaning rule to derive: $S_j \mid\equiv U_i \mid\sim (n_1, ID_i, PWD_i)$.
$a_2$. By $a_1$ and $p_3$, we apply the fresh concatenation rule and the nonce-verification rule to derive: $S_j \mid\equiv U_i \mid\equiv (n_1, ID_i, PWD_i)$.
$a_3$. By $a_2$, $p_3$ and $p_8$, we apply the belief rule and the jurisdiction rule to derive: $S_j \mid\equiv ID_i$.
$a_4$. By $a_3$ and $S_j \triangleleft (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)_{ID_i}$, we apply the message-meaning rule to derive: $S_j \mid\equiv U_i \mid\sim (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)$.
$a_5$. By $p_4$ and $a_4$, we apply the fresh concatenation rule and the nonce-verification rule to derive: $S_j \mid\equiv U_i \mid\equiv (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)$.
$g_1$. By $a_5$, we apply the belief rule to derive: $S_j \mid\equiv U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$g_2$. By $g_1$ and $p_1$, we apply the jurisdiction rule to derive: $S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$a_6$. By $p_6$ and $U_i \triangleleft (ID_i, n_1, n_2, T_2)_K$, we apply the message-meaning rule to derive: $U_i \mid\equiv S_j \mid\sim (ID_i, n_1, n_2, T_2)$.
$a_7$. By $p_2$ and $a_6$, we apply the fresh concatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv (ID_i, n_1, n_2, T_2)$.
$a_8$. By $a_7$, we apply the belief rule to derive: $U_i \mid\equiv S_j \mid\equiv n_2$.
$a_9$. By $p_2$ and $a_8$, we apply the jurisdiction rule to derive: $U_i \mid\equiv n_2$.
$a_{10}$. By $a_9$ and $U_i \triangleleft \langle n_1, X_i, PWD_i \rangle_{n_2}$, we apply the message-meaning rule to derive: $U_i \mid\equiv S_j \mid\sim (n_1, X_i, PWD_i)$.
$a_{11}$. By $a_{10}$ and $p_1$, we apply the fresh concatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv (n_1, X_i, PWD_i)$.
$g_3$. By $p_1$, $p_3$, $p_4$, $p_6$, $a_{11}$ and $SK_{ij} = h(n_1 \| n_2 \| K \| X_i)$, we apply the fresh concatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$g_4$. By $g_3$ and $p_{12}$, we apply the jurisdiction rule to derive: $U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.

Informal security analysis
In this subsection, we verify whether our proposed scheme is secure against a variety of known attacks.
Anonymity. Our proposed scheme preserves identity anonymity since $ID_i$ cannot be derived from $M_1$ without the knowledge of $K$; furthermore, $K$ cannot be derived from $Y_i$ without the random number $y_i$ and the pre-shared secret key $PSK$. Also, owing to the one-way hash function, $ID_i$ cannot be derived from $M_5$. Our proposed scheme therefore provides user anonymity.
Resisting outsider attack. Suppose that an adversary $A$ extracts all of the information $\{V_A, W_A, X_A, Y_A\}$ from a smart card by using a side-channel attack; however, he/she cannot obtain any of the secret information of $S_j$. $A$ can compute $h(y_A \| PSK) = W_A \oplus ID_A$, but the value $y_A$ is a random number unique to the user that is selected by the RC, and $PSK$ is the pre-shared secret key between the RC and $S_j$; therefore, $A$ does not know ... and our proposed scheme can resist an outsider attack.
Resisting impersonation attack. Suppose that an adversary $A$ intercepts all of the messages $\{Y_i, Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3\}$ that are transmitted over a public channel between $U_i$ and $S_j$; however, $A$ cannot generate the legal login request message $\{Y_i, Z_i, M_1, M_2, M_3, T_1\}$, where $Y_i = y_i \oplus h(PSK)$, $Z_i = h(X_i \| n_1 \| PWD_i \| T_1)$, $M_1 = K \oplus ID_i$, $M_2 = n_1 \oplus K$ and $M_3 = PWD_i \oplus K$, because the value $y_i$ is a random number unique to the user that is selected by the RC and $n_1$ is a random number generated by $U_i$; furthermore, $A$ cannot generate the login response message $\{M_4, M_5, T_2\}$ without the random number $n_2$. Our proposed scheme can therefore resist an impersonation attack.
Session key agreement. Suppose that an adversary $A$ intercepts all of the messages $\{Y_i, Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3\}$ that are transmitted over a public channel between $U_i$ and $S_j$, steals the smart card of $U_i$, and then extracts all of the information $\{V_i, W_i, X_i, Y_i, h(\cdot), H(\cdot)\}$; however, $A$ cannot compute the session key $SK_{ij} = h(n_1 \| n_2 \| K \| X_i)$. To compute $K$ from $W_i$, $U_i$'s identity $ID_i$ is needed. To retrieve $ID_i$ from $V_i$, $A$ needs to know $PW_i$ and $H(BIO_i)$. Since only $U_i$ can imprint the biometrics $BIO_i$ at the sensor, an adversary $A$ cannot obtain $U_i$'s identity $ID_i$ and password $PW_i$. Our proposed scheme can therefore provide session key security.

Formal security analysis
In this subsection, we present the formal security analysis of our proposed scheme and show that it is secure. First, we define the hash function as follows [29].
Definition 1. A secure one-way hash function $h: \{0,1\}^* \to \{0,1\}^n$, which takes as input an arbitrary-length binary string $x \in \{0,1\}^*$ and outputs a binary string $h(x) \in \{0,1\}^n$, satisfies the following requirements:
a. Given $y \in Y$, it is computationally infeasible to find an $x \in X$ such that $y = h(x)$.
b. Given $x \in X$, it is computationally infeasible to find another ...
Theorem 1. Under the assumption that the one-way hash function $h(\cdot)$ closely behaves like an oracle, our proposed scheme is provably secure against an adversary $A$ for the protection of a user's personal information including the identity $ID_i$, password $PW_i$ and biometrics $BIO_i$, the server's secret number $x$ that is selected by the RC, and the pre-shared secret key $PSK$ between the RC and $S_j$.
Proof. The formal security proof of our proposed scheme is similar to those in [23,29,30]. We use the following oracle to construct an adversary $A$ who has the ability to derive the user $U_i$'s identity $ID_i$, password $PW_i$, biometrics $BIO_i$, the server's secret number $x$ that is selected by the RC, and the pre-shared secret key $PSK$ between the RC and $S_j$.
Reveal: This random oracle unconditionally outputs the input $x$ from the given hash result $y = h(x)$. Now, $A$ runs the experimental algorithm $EXP^{JKMSE}_{HASH,A}$ shown in Table 4 for our proposed scheme JKMSE.
If the success probability of $EXP^{JKMSE}_{HASH,A}$ is defined as $Success^{JKMSE}_{HASH,A} = |\Pr[EXP^{JKMSE}_{HASH,A} = 1] - 1|$, the advantage function for this experiment then becomes $Adv^{JKMSE}_{HASH,A}(t, q_R) = \max_A Success^{JKMSE}_{HASH,A}$, where the maximum is taken over all $A$ with execution time $t$ and number of queries $q_R$ made to the Reveal oracle. Consider the experiment shown in Table 4 for $A$. If $A$ has the ability to solve the hash function problem given in Definition 1, then he/she can directly derive $U_i$'s identity $ID_i$, password $PW_i$, biometrics $BIO_i$, the server's secret number $x$ that is selected by the RC and the pre-shared secret key $PSK$ between the RC and $S_j$. In this case, $A$ will discover the complete connections between $U_i$ and $S_j$; however, it is computationally infeasible to invert the input from a given hash value, i.e., $Adv^{JKMSE}_{HASH,A}(t) \le \epsilon$ for all $\epsilon > 0$. Then, we have $Adv^{JKMSE}_{HASH,A}(t, q_R) \le \epsilon$, since $Adv^{JKMSE}_{HASH,A}(t, q_R)$ depends on $Adv^{JKMSE}_{HASH,A}(t)$. As a result, there is no way for $A$ to discover the complete connections between $U_i$ and $S_j$ by deriving $(ID_i, PW_i, BIO_i, y_i, x, PSK)$, and our proposed scheme is provably secure against an adversary.

Functional and performance analysis
In this section, we compare the functionality and the computational costs of our proposed scheme with the other related schemes [18][19][20][21][22][23]. Table 5 lists the functionality comparisons of our proposed scheme with the other related schemes. The table shows that the proposed scheme achieves all of the security and functionality requirements and is more secure than the other related schemes.

Performance analysis
For the performance comparison, $T_E$ and $T_H$ denote the running times of a symmetric encryption/decryption operation and a hash function, respectively. Recently, Xue and Hong [31] estimated the running time of different cryptographic operations, whereby $T_E$ is nearly 0.45 ms on average and $T_H$ is below 0.2 ms on average in their environment (CPU: 3.2 GHz, RAM: 3.0 G). Table 6 shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the performance comparison, the proposed scheme requires a greater amount of computation to accomplish mutual authentication and key agreement than Chuang et al.'s scheme, as the proposed scheme performs four further hash operations; however, these operations consume a very small amount of time.

Conclusion
In this paper, we analyzed the security weaknesses of the biometrics-based authentication scheme for multi-server environments by Lu et al. Lu et al. claimed that their authentication scheme is secure and provides user anonymity; however, we found that Lu et al.'s scheme is still insecure against outsider attacks and impersonation attacks. To resolve these security vulnerabilities, we proposed an improved authentication scheme that retains the merits of Lu et al.'s scheme and also achieves comprehensive security. The security analysis in this paper shows that the proposed scheme rectifies the weaknesses of Lu et al.'s scheme.